From b7d6bea77921233c32499505b206466caa2e6815 Mon Sep 17 00:00:00 2001
From: Abdul Matin
Date: Thu, 11 Jan 2024 11:04:57 +0600
Subject: [PATCH 1/4] Fix the wrong server response match for pg upstream tls

Signed-off-by: Abdul Matin
---
 .../filters/network/source/postgres_decoder.cc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/contrib/postgres_proxy/filters/network/source/postgres_decoder.cc b/contrib/postgres_proxy/filters/network/source/postgres_decoder.cc
index 71cf765c8b08d..1ebf1491a37b5 100644
--- a/contrib/postgres_proxy/filters/network/source/postgres_decoder.cc
+++ b/contrib/postgres_proxy/filters/network/source/postgres_decoder.cc
@@ -440,7 +440,8 @@ Decoder::Result DecoderImpl::onDataInNegotiating(Buffer::Instance& data, bool fr
 // This should be reply from the server indicating if it accepted
 // request to use SSL. It is only one character long packet, where
- // 'S' means use SSL, 'E' means do not use.
+ // 'S' means use SSL, 'N' means do not use.
+ // See details in https://www.postgresql.org/docs/current/protocol-flow.html#PROTOCOL-FLOW-SSL
 // Indicate to the filter, the response and give the initial
 // packet temporarily buffered to be sent upstream.
@@ -451,7 +452,7 @@ Decoder::Result DecoderImpl::onDataInNegotiating(Buffer::Instance& data, bool fr
 if (c == 'S') {
 upstreamSSL = true;
 } else {
- if (c != 'E') {
+ if (c != 'N') {
 state_ = State::OutOfSyncState;
 }
 }

From 41741c33c5c3abf9c45d5311c7df62c9f2307196 Mon Sep 17 00:00:00 2001
From: Abdul Matin
Date: Tue, 16 Jan 2024 15:45:03 +0600
Subject: [PATCH 2/4] Update postgres_decoder_test.cc

Signed-off-by: Abdul Matin
---
 .../filters/network/test/postgres_decoder_test.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/postgres_proxy/filters/network/test/postgres_decoder_test.cc b/contrib/postgres_proxy/filters/network/test/postgres_decoder_test.cc
index 1a8895c2f72ee..2434e961c03ae 100644
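Review bot: In postgres_decoder.cc, the `else` branch around `if (c != 'N')` now sends every reply other than 'S' and 'N' to `State::OutOfSyncState`, and that includes 'E', without a comment saying this is deliberate. The PostgreSQL protocol page linked in the previous hunk says a frontend should also be prepared for an ErrorResponse to SSLRequest, and that message begins with 'E'. A comment at the check would record the decision, for example `// Any other byte, including 'E' (ErrorResponse), moves the decoder to out-of-sync.`. The same page says the server sends only this single byte, so data that follows it in the buffer deserves equally explicit handling. onDataInNegotiating begins and ends outside the hunk, so whether `c` is read together with a length check cannot be seen from here.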
--- a/contrib/postgres_proxy/filters/network/test/postgres_decoder_test.cc
+++ b/contrib/postgres_proxy/filters/network/test/postgres_decoder_test.cc
@@ -650,7 +650,7 @@ TEST_P(PostgresProxyUpstreamSSLTest, UpstreamSSLEnabled) {
 ASSERT_THAT(decoder_->state(), DecoderImpl::State::NegotiatingUpstreamSSL);
 // Simulate various responses from the upstream server.
- // Only "S" and "E" are valid responses.
+ // Only "S" and "N" are valid responses.
 data_.add(std::get<0>(GetParam()));
 EXPECT_CALL(callbacks_, encryptUpstream(std::get<1>(GetParam()), testing::_));

From 5a565f6a44161143ef56b17bf254fe4ff0dcec51 Mon Sep 17 00:00:00 2001
From: Abdul Matin
Date: Tue, 16 Jan 2024 15:46:24 +0600
Subject: [PATCH 3/4] Update postgres_decoder_test.cc

Signed-off-by: Abdul Matin
---
 .../filters/network/test/postgres_decoder_test.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/postgres_proxy/filters/network/test/postgres_decoder_test.cc b/contrib/postgres_proxy/filters/network/test/postgres_decoder_test.cc
index 2434e961c03ae..4101ea89df645 100644
--- a/contrib/postgres_proxy/filters/network/test/postgres_decoder_test.cc
+++ b/contrib/postgres_proxy/filters/network/test/postgres_decoder_test.cc
@@ -665,7 +665,7 @@ INSTANTIATE_TEST_SUITE_P(BackendEncryptedMessagesTests, PostgresProxyUpstreamSSL
 // Correct response from the server (encrypt).
 std::make_tuple("S", true, DecoderImpl::State::InitState),
 // Correct response from the server (do not encrypt).
- std::make_tuple("E", false, DecoderImpl::State::InitState),
+ std::make_tuple("N", false, DecoderImpl::State::InitState),
 // Incorrect response from the server. Move to out-of-sync state.
 std::make_tuple("W", false, DecoderImpl::State::OutOfSyncState),
 std::make_tuple("WRONG", false, DecoderImpl::State::OutOfSyncState)));

From 2ec1c6d4c8cf9c4d2399629df9dcc9790c8e9da5 Mon Sep 17 00:00:00 2001
From: Abdul Matin
Date: Tue, 16 Jan 2024 15:47:31 +0600
Subject: [PATCH 4/4] Update postgres_integration_test.cc
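Review bot: The parameter list in the INSTANTIATE_TEST_SUITE_P hunk still has no case where a valid first byte is followed by more data, such as "SX" or "NX"; "WRONG" only covers a bad first byte. The PostgreSQL protocol documentation says the server sends a single byte in reply to SSLRequest and that a frontend should treat extra bytes read at that point as a protocol violation, so this is the input most worth pinning before the upstream connection is switched to TLS. If the decoder is meant to reject it, a tuple like `std::make_tuple("SX", false, DecoderImpl::State::OutOfSyncState),` would do; the expected values depend on decoder code outside this hunk, so confirm them there. The INSTANTIATE_TEST_SUITE_P call starts outside the hunk.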
Signed-off-by: Abdul Matin
---
 .../filters/network/test/postgres_integration_test.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc b/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc
index 4e76d27eb2472..8148a0b1f9aab 100644
--- a/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc
+++ b/contrib/postgres_proxy/filters/network/test/postgres_integration_test.cc
@@ -466,8 +466,8 @@ TEST_P(UpstreamSSLRequirePostgresIntegrationTest, ServerDeniesSSLTest) {
 ASSERT_EQ(80877103, upstream_data.peekBEInt(4));
 upstream_data.drain(upstream_data.length());
- // Reply to Envoy with 'E' (SSL not allowed).
- upstream_data.add("E");
+ // Reply to Envoy with 'N' (SSL not allowed).
+ upstream_data.add("N");
 ASSERT_TRUE(fake_upstream_connection_->write(upstream_data.toString()));
 config_factory_.proceed_sync_.Notify();
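Review bot: With the reply changed to 'N', ServerDeniesSSLTest covers a clean refusal, but nothing in this hunk exercises an unexpected reply under the upstream-SSL-required configuration that the test class name suggests. The decoder test in this series expects `encryptUpstream` to be called with `false` for an unrecognised byte such as "W", the same value as for a refusal, so it is presumably the filter that has to refuse to continue in plaintext. A sibling test that replies with `upstream_data.add("W");` and asserts that the connection is closed rather than forwarded would pin that fail-closed behaviour. The test body starts and ends outside the hunk, so such a case may already exist elsewhere in the file.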